Closed Bug 1565797 Opened 5 years ago Closed 5 years ago

Assertion failure: table->kind == TableKind::FuncRef || table->kind == TableKind::AsmJS (cranelift doesn't support AnyRef tables yet.), at js/src/wasm/WasmCraneliftCompile.cpp:524

Categories

(Core :: JavaScript: WebAssembly, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1570343
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- disabled
firefox68 --- disabled
firefox69 --- disabled
firefox70 --- fix-optional

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 5030a3fd5ae5 (build with --disable-jemalloc --enable-address-sanitizer --enable-gczeal --enable-optimize="-O2 -g" --enable-fuzzing, run with --wasm-compiler=cranelift):

See attachment.

Backtrace:

==6641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x559fa76eb22e bp 0x7ffc1ffffc50 sp 0x7ffc1ffffc40 T0)
    #0 0x559fa76eb22d in table_tlsOffset js/src/wasm/WasmCraneliftCompile.cpp:522:3
    #1 0x559fa80d6609 in baldrdash::wasm2clif::TableInfo::new::hdbe4785ee348f6da js/src/wasm/cranelift/src/wasm2clif.rs:811:21
    #2 0x559fa80cec22 in baldrdash::wasm2clif::TransEnv::get_table::h3240d43658c7b849 js/src/wasm/cranelift/src/wasm2clif.rs:200:29
    #3 0x559fa80d3ae0 in _$LT$baldrdash..wasm2clif..TransEnv$u20$as$u20$cranelift_wasm..environ..spec..FuncEnvironment$GT$::make_table::h98882cbdb1a88ff7 js/src/wasm/cranelift/src/wasm2clif.rs:503:25
    #4 0x559fa8100345 in cranelift_wasm::state::TranslationState::get_table::hbfed6d35f755a074 third_party/rust/cranelift-wasm/src/state.rs:322:46
    #5 0x559fa80b4c73 in cranelift_wasm::code_translator::translate_operator::hc6028899ff24b123 third_party/rust/cranelift-wasm/src/code_translator.rs:382:24
    #6 0x559fa80ad402 in cranelift_wasm::func_translator::parse_function_body::h20d85a95273cdd03 third_party/rust/cranelift-wasm/src/func_translator.rs:209:8
    #7 0x559fa80acbb1 in cranelift_wasm::func_translator::FuncTranslator::translate_from_reader::h938ea7967302060a third_party/rust/cranelift-wasm/src/func_translator.rs:106:8
    #8 0x559fa80ad066 in cranelift_wasm::func_translator::FuncTranslator::translate::hc4bacae469bc96f4 third_party/rust/cranelift-wasm/src/func_translator.rs:62:8
    #9 0x559fa80a89a5 in baldrdash::compile::BatchCompiler::translate_wasm::h85b3fe3c02f503d3 js/src/wasm/cranelift/src/compile.rs:131:8
    #10 0x559fa809a7ec in cranelift_compile_function js/src/wasm/cranelift/src/lib.rs:92:20
    #11 0x559fa76e6717 in js::wasm::CraneliftCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmCraneliftCompile.cpp:413:10
    #12 0x559fa77eabd5 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:728:14
    #13 0x559fa77ed50b in js::wasm::ModuleGenerator::locallyCompileCurrentTask() js/src/wasm/WasmGenerator.cpp:775:8
    #14 0x559fa77ed50b in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:904
    #15 0x559fa76e0b98 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:557:13
    #16 0x559fa76dff96 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) js/src/wasm/WasmCompile.cpp:580:8
    #17 0x559fa78c93a1 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) js/src/wasm/WasmJS.cpp:1143:7
    #18 0x559fa57b7f34 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/vm/Interpreter.cpp:448:13
    #19 0x559fa57b7f34 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/vm/Interpreter.cpp:464
[...]
    #32 0x559fa552d029 in _start (js+0x1ca0029)
Attached file Testcase
Type: -- → defect
Flags: needinfo?(bbouvier)

Nice, coincidentally fixed by bug 1570343 which enabled proper gating for anyref in Cranelift.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(bbouvier)
Resolution: --- → FIXED
Resolution: FIXED → DUPLICATE